Let me know if this stops it
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-1051667977-3788622818-547820116-1000\...\Run: [MOVIE_20151012] => wscript.exe //B "C:\Users\ste\AppData\Roaming\MOVIE_20151012.AVI.WEBM.FLV_UCNUY389NCU52389Y5UC9823NYC589NY3289C5NY2389CY53NY58923YNC895N3Y298C5YN8239NYC5892YN59N825N2985N92592N59N2895NY239.vbs"
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => No File
Startup: C:\Users\ste\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MOVIE_20151012.AVI.WEBM.FLV_UCNUY389NCU52389Y5UC9823NYC589NY3289C5NY2389CY53NY58923YNC895N3Y298C5YN8239NYC5892YN59N825N2985N92592N59N2895NY239.vbs [2015-10-12] ()
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.oursurfing.com/?type=hp&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.oursurfing.com/?type=hp&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.oursurfing.com/web/?type=ds&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.oursurfing.com/web/?type=ds&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.oursurfing.com/?type=hp&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.oursurfing.com/?type=hp&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.oursurfing.com/web/?type=ds&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.oursurfing.com/web/?type=ds&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z&q={searchTerms}
HKU\S-1-5-21-1051667977-3788622818-547820116-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.oursurfing.com/?type=hp&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.oursurfing.com/web/?type=ds&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.oursurfing.com/web/?type=ds&ts=1435874642&z=24888b5809de05f79c6fe45gbz5c8w7bemez1qec1w&from=2sq&uid=SamsungXSSDX840XEVOX120GB_S1D5NSBDA89697Z&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1051667977-3788622818-547820116-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
FF HKLM-x32\...\Firefox\Extensions: [searchffv2@gmail.com] - C:\Users\ste\AppData\Roaming\Mozilla\Firefox\Profiles\vxcoykt2.default\extensions\searchffv2@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [sweetsearch@gmail.com] - C:\Users\ste\AppData\Roaming\Mozilla\Firefox\Profiles\vxcoykt2.default\extensions\sweetsearch@gmail.com
U3 aul7ho2a; C:\Windows\System32\Drivers\aul7ho2a.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
2015-10-13 00:05 - 2015-10-12 17:29 - 00015223 _____ C:\Users\ste\AppData\Roaming\MOVIE_20151012.AVI.WEBM.FLV_UCNUY389NCU52389Y5UC9823NYC589NY3289C5NY2389CY53NY58923YNC895N3Y298C5YN8239NYC5892YN59N825N2985N92592N59N2895NY239.vbs
2015-10-13 00:05 - 2015-10-12 17:29 - 0015223 _____ () C:\Users\ste\AppData\Roaming\MOVIE_20151012.AVI.WEBM.FLV_UCNUY389NCU52389Y5UC9823NYC589NY3289C5NY2389CY53NY58923YNC895N3Y298C5YN8239NYC5892YN59N825N2985N92592N59N2895NY239.vbs
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Download Anti VBS/VBE to your desktop
[*]Download the appropriate version (32 bit or 64 bit) and double click the file to run it.
[*]After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
[*]Post that report
Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows. It is safe, so allow it to run.
FINALLY
Please download AdwCleaner by Xplode onto your desktop.
[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.
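
The fixlist above removes the same .vbs file from two autostart locations: a per-user Run key that launches it through wscript.exe, and the Startup folder. As an added example that is not part of the original post or of FRST, the Python below triages FRST-style autorun lines for that pattern; the sample lines, names and extension lists are constructed assumptions.

```python
import re

# Constructed sample lines in FRST log style (hypothetical names, not from the post).
SAMPLE = r'''
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\...\Run: [MOVIE_EXAMPLE] => wscript.exe //B "C:\Users\user\AppData\Roaming\MOVIE_EXAMPLE.AVI.WEBM.FLV_AAAA.vbs"
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MOVIE_EXAMPLE.AVI.WEBM.FLV_AAAA.vbs [2015-10-12] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk [2015-01-01]
'''

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")   # Windows Script Host file types
MEDIA_EXT = re.compile(r"\.(avi|webm|flv|mp4|mkv)\b", re.I)
# First Windows path on the line, ending at an extension followed by a quote, space or EOL.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]+?\.\w{2,4})(?=["\s]|$)')

def triage(line):
    """Return the reasons an autorun line looks like script-based persistence."""
    if "Run:" not in line and not line.startswith("Startup:"):
        return []
    m = PATH_RE.search(line)
    if not m:
        return []
    path = m.group(1)
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if name.lower().endswith(SCRIPT_EXT):
        reasons.append("script file as autorun target")
        # A media extension earlier in the name suggests a disguised script.
        if MEDIA_EXT.search(name[:name.rfind(".")]):
            reasons.append("media-style name hiding a script extension")
    if re.search(r"\b[wc]script(\.exe)?\b", line, re.I):
        reasons.append("launched through Windows Script Host")
    if "Run:" in line and "\\appdata\\" in path.lower():
        reasons.append("Run key points into the user profile")
    return reasons

def find_script_autoruns(log_text):
    """Return (line, reasons) for every flagged line in an FRST-style log."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage(line)
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    for line, reasons in find_script_autoruns(SAMPLE):
        print(line[:60] + "...", "->", "; ".join(reasons))
```

A flagged line is a prompt to inspect the file, not a verdict; legitimate logon scripts can match the first rule on their own.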